SOC 1SM compliance audits, also known as Statement on Standards for Attestation Engagements (SSAE) 18 have only been available since June 2011. Prior to that, the available audit standard for service organizations was the Statement for Auditing Standard no. 70 (SAS 70). To meet the needs of the current marketplace, the SAS 70 standard was superseded by the SSAE 16, which further got superseded by the current SOC standard, the SSAE 18, which went into effect May 1, 2017.
What is a SOC 1 Report?
A SOC 1SM compliance report is an internal control audit prepared exclusively for Service Organizations. It’s a required restricted-use report that can only be distributed to existing customers and their auditors; not prospects. If a service organization’s clients have their financials audited, a SOC 1SM report gives those clients’ auditors assurance that proper controls are implemented, operational, and effective.
Who Needs a SOC 1 Audit and When Should It Be Performed?
As mentioned, SOC 1 audits are required for organizations that provide some sort of outsourced services for customers and clients. These types of businesses include, but are not limited to:
- Software-As-A-Service (SaaS) companies (FinTech platforms, sales platforms)
- Processing companies (payroll processing, claims processing)
- Loan servicing companies
In most cases, an organization’s customers will reach out and request a SOC 1 report when their auditors require one. However, many organizations opt to get a SOC 1 audit performed in lieu of having to answer the multiple security questionnaires they receive from various clients if allowed.
The Difference Between SOC Type 1 and Type 2 Reports
There are two main types of SOC 1 audits – the Type I and Type II reports. Each report covers three important areas:
- Mangement’s Assertion
- Mangement’s Description of the System
- Design of the Controls and Test Results
However, there are some important differences between the two reports:
- The Type 1 Audit – A SOC 1SM Type 1 report is a point-in-time report that audits the controls on a specific date.
- The Type 2 Audit – A SOC 1SM Type 2 report audits the controls over a period of time, typically a full year. It also determines the effectiveness of the control activities from a financial auditing standpoint.
SOC 1 Type 2 audits are not to be confused with SOC 2 audits, which is a different type of SOC compliance report altogether. The AICPA also released a fourth type of audit, the SOC for Cybersecurity report, in May 2018. Unlike SOC 1 and SOC 2 reports, the SOC for Cybersecurity audit can be performed by any type of organizations, and it provides an in-depth evaluation of a company’s cybersecurity risk management program.
Looking to prepare for an upcoming SOC 1 compliance audit? Download your free copy of our SOC 1 reporting guide today.
Ensuring SOC 1 Compliance
Are you looking for a SOC 1 audit report? Before beginning your SOC 1 compliance journey, it’s important to understand the basics of the SSAE 18 and internal control reporting in general. Do you know what your SOC auditor will be looking for? Here are some preliminary questions to consider before speaking with an accredited SOC professional.
A Quick SOC 1 Compliance Checklist
- Does your organization have a defined organizational structure?
- Has your organization designated authorized employees to develop and implement policies and procedures?
- What is your organization’s background screening procedure?
- Does your organization have established workforce conduct standards?
- Do clients and employees understand their role in using your system or service?
- Has your organization performed a formal risk assessment?
- Does your organization perform regular vendor management assessments?
- Has your organization developed policies and procedures that address all controls?
- Does your organization perform an annual policy and procedure review?
If you’re unsure of the answers to these questions or don’t think your organization has controls in place, don’t worry. Before getting a SOC 1 report, you’ll need to engage with an advisor to address any compliance concerns and map out the policies and procedures to be evaluated by the audit.
SOC Audit Seal